Setup and Configuration of an OpenVPN Server on CentOS 7


In this article, we'll show you how to install and configure an OpenVPN server on CentOS 7. OpenVPN is one of the most widely used virtual private network (VPN) solutions for establishing point-to-point or site-to-site connections. While this guide should also work on other Linux servers, it was written and tested specifically for CentOS 7.

Installing OpenVPN on CentOS 7 is simple; follow the steps below and you'll be finished in under 10 minutes.

How to Install OpenVPN on CentOS 7

Step 1 Installing OpenVPN

1. Update the system and install the EPEL repository, which provides the openvpn package:

yum update -y

yum install epel-release -y


2. Update the repositories again:

yum update -y

3. You can now install OpenVPN with the command:

yum install -y openvpn

Step 2 Installing Easy-RSA

1. Install wget, which you will use to download the Easy-RSA package:

yum install -y wget


2. The latest release of the Easy-RSA command-line utility at the time of writing is 3.0.8; download its archive (v3.0.8.tar.gz) with wget into /root, where the following steps expect it.



3. Extract the downloaded archive:


tar -xf v3.0.8.tar.gz

4. Move into the /etc/openvpn directory, which was created when the openvpn package was installed:

cd /etc/openvpn/

5. Then, create a subdirectory easy-rsa under /etc/openvpn:

mkdir /etc/openvpn/easy-rsa

6. Move the contents of the extracted directory into /etc/openvpn/easy-rsa, so that the easyrsa3 directory used in Step 4 ends up at /etc/openvpn/easy-rsa/easyrsa3:

mv /root/easy-rsa-3.0.8/* /etc/openvpn/easy-rsa/


Step 3 Configure OpenVPN

1. The first step is to copy the sample server.conf file from OpenVPN's documentation directory (the version number in the path is that of the installed package):

cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn

2. If the path differs on your system, locate the sample file with find and adjust the command above:

find / -name server.conf

3. Then, open the copied configuration file with a text editor of your choice:

vi /etc/openvpn/server.conf

Lines in the file beginning with # or ; are comments.


4. Then, switch the control channel to tls-crypt, which authenticates and encrypts OpenVPN's control packets with a static pre-shared key (tls-auth only authenticates them). Locate the line tls-auth ta.key 0, comment it out by adding ; in front of it, and add a new line under it:

tls-crypt myvpn.tlsauth


5. Save and exit the configuration file.

6. Finally, generate the static key named in the file:

openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth

Step 4 Generate Keys and Certificates

1. Create a vars configuration file from the vars.example file stored in the easy-rsa/easyrsa3 directory. Change into that directory first:

cd /etc/openvpn/easy-rsa/easyrsa3

2. List the directory contents with ls to check that the vars.example file is there.

3. Copy the sample file vars.example under the name vars:

cp vars.example vars

4. Open the vars file in a text editor of your choice:

vi vars

5. Then, find the line specifying KEY_NAME and set it to "server":

export KEY_NAME="server"

6. Clean out any previous keys and initialise a fresh PKI directory. In Easy-RSA 3 the command is init-pki (the older clean-all command no longer exists):

./easyrsa init-pki

7. Now, build the certificate authority with the build-ca command:

./easyrsa build-ca

8. Create the server key and certificate:

./easyrsa build-server-full server


9. Next, generate the Diffie-Hellman parameters file (dh.pem) by running:

./easyrsa gen-dh


10. Generate the client key and certificate on the server as well, then copy them to the client machine:

./easyrsa build-client-full client1

11. Once you have generated the keys and certificates, copy them from the pki directory into the OpenVPN directory. Change into the pki directory first:

cd /etc/openvpn/easy-rsa/easyrsa3/pki

Then copy ca.crt and dh.pem into the openvpn directory:

cp ca.crt dh.pem /etc/openvpn

The server certificate and key that build-server-full created are in issued/server.crt and private/server.key under the same pki directory. server.conf must be able to find them, together with ca.crt and the DH file, at the paths given by its ca, cert, key and dh directives; the sample file names the DH file dh2048.pem, so either rename dh.pem or edit that line.

Step 5 Firewall and Routing Configuration

A. Set Firewall Rules

1. Check your active firewalld zone:

firewall-cmd --get-active-zones

2. Add the openvpn service to the list of services firewalld allows within the active zone (public in this example):

firewall-cmd --zone=public --add-service openvpn

3. Next, make the setting above permanent by running the command:

firewall-cmd --zone=public --add-service openvpn --permanent

4. To check whether the openvpn service was added, use:

firewall-cmd --list-services --zone=public

5. Then, add a masquerade to the runtime instance:

firewall-cmd --add-masquerade

6. And make it permanent:

firewall-cmd --add-masquerade --permanent

7. Verify the masquerade was added by running:

firewall-cmd --query-masquerade


B. Configure Routing

1. Find the network interface that carries the server's default route and store its name in a variable named VAR. ip route get needs a destination address; any address outside your own network will do (replace any_public_ip). On CentOS 7 the interface name is the field two positions before the end of the first output line:

VAR=$(ip route get any_public_ip | awk 'NR==1 {print $(NF-2)}')

2. Next, permanently add the NAT rule using the variable created above. Replace your_vpn_subnet with the VPN client network in CIDR notation (the network set by the server directive in server.conf):

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s your_vpn_subnet -o $VAR -j MASQUERADE

3. Reload firewalld for the changes to take effect:

firewall-cmd --reload

4. Move on to routing all web traffic from the client to the server’s IP address by enabling IP forwarding. Open the sysctl.conf file:

vi /etc/sysctl.conf

5. Add the following line at the top of the file:

net.ipv4.ip_forward = 1

6. Finally, restart the service:

systemctl restart network.service
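Step B.1 above depends on the position of a field in the ip route get output. As an added example (not from the original article), the functions below pick the interface by finding the token after dev instead, which also works on newer kernels that append uid to the line and would shift the article's $(NF-2) onto the source address; the sample lines are constructed, not captured from a host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article.
# egress_iface_from_route: read "ip route get <dst>" output on stdin and print
# the interface named after "dev". Position-independent, unlike $(NF-2).
egress_iface_from_route() {
    awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# egress_iface <public address>: run it on a live host. The address only serves
# to select the route; nothing is sent. (Not executed in the self-check below.)
egress_iface() {
    ip route get "$1" 2>/dev/null | egress_iface_from_route
}

# masquerade_rule <vpn subnet> <iface>: print the Step 5.B rule with both values
# filled in, refusing empty arguments so a failed lookup cannot produce
# "-o -j MASQUERADE".
masquerade_rule() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "masquerade_rule: subnet and interface required" >&2; return 1; }
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Constructed sample lines (192.0.2.1 is a documentation address, not a real host):
SAMPLE_CENTOS7='192.0.2.1 via 10.0.2.2 dev eth0  src 10.0.2.15'
SAMPLE_NEWER='192.0.2.1 via 10.0.2.2 dev ens33 src 10.0.2.15 uid 0'

# Quick self-check when run directly.
printf '%s\n' "$SAMPLE_CENTOS7" | egress_iface_from_route    # eth0
printf '%s\n' "$SAMPLE_NEWER"   | egress_iface_from_route    # ens33
printf '%s\n' "$SAMPLE_NEWER"   | awk 'NR==1 {print $(NF-2)}' # 10.0.2.15: the fixed field is wrong here
```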

Step 6 Start OpenVPN

1. To start the OpenVPN service for the server.conf configuration, run the command:

systemctl -f start openvpn@server.service

2. Then, enable it to start at boot by running:

systemctl -f enable openvpn@server.service

3. Verify the service is active with:

systemctl status openvpn@server.service

Step 7: Configure an OpenVPN Client

1. Create a configuration file for the OpenVPN client under the name client.ovpn on the client machine:

vi client.ovpn

2. Add the following content to the file, replacing the /path/to/ placeholders with the locations of the files copied from the server and your_server_ip with the server's public address:

client
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
tls-crypt /path/to/myvpn.tlsauth
remote-cert-eku "TLS Web Server Authentication"
proto udp
remote your_server_ip 1194 udp
dev tun
topology subnet
user nobody
group nobody

The client line puts OpenVPN in client mode. The remote-cert-eku line makes the client accept only a certificate issued for server use (the extended key usage that build-server-full sets); without it, any client certificate signed by the same CA could pose as the server. The tls-crypt file is the myvpn.tlsauth key generated in Step 3, which must be copied to the client over a secure channel.

3. Save and close the file.
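As an added example (not part of the original article), the shell functions below run a pre-flight check over a client.ovpn of the shape shown above: the file must be in client mode, name its ca, cert, key and tls-crypt files, check the server certificate for the server EKU, and drop privileges to nobody. The function names and the constructed sample configuration are this example's own.

```shell
# Added example, not part of the original article.
# ovpn_has <file> <regex>: true if an active line (not a # or ; comment line)
# starts with the directive described by <regex>.
ovpn_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_client_ovpn <file>: print one line per finding; return 1 if any, 0 if clean.
check_client_ovpn() {
    conf="$1"; rc=0
    ovpn_has "$conf" 'client' || { echo "missing: client (needed to accept what the server pushes)"; rc=1; }
    for d in ca cert key tls-crypt; do
        ovpn_has "$conf" "$d[[:space:]]+[^[:space:]]+" || { echo "missing: $d <file>"; rc=1; }
    done
    ovpn_has "$conf" 'tls-auth' && { echo "wrong: tls-auth; the server from Step 3 uses tls-crypt"; rc=1; }
    # The peer must present a *server* certificate. Requiring the Client EKU instead
    # rejects the real server (build-server-full issues serverAuth only).
    if ovpn_has "$conf" 'remote-cert-eku[[:space:]]+"TLS Web Client Authentication"'; then
        echo 'wrong: remote-cert-eku names the Client EKU; use "TLS Web Server Authentication" or remote-cert-tls server'; rc=1
    elif ! ovpn_has "$conf" 'remote-cert-tls[[:space:]]+server' \
      && ! ovpn_has "$conf" 'remote-cert-eku[[:space:]]+"TLS Web Server Authentication"'; then
        echo 'missing: remote-cert-tls server (server certificate not checked for serverAuth)'; rc=1
    fi
    ovpn_has "$conf" 'remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' || { echo "missing: remote <host> <port>"; rc=1; }
    ovpn_has "$conf" 'user[[:space:]]+nobody' || { echo "missing: user nobody (process keeps root after start-up)"; rc=1; }
    ovpn_has "$conf" 'group[[:space:]]+nobody' || { echo "missing: group nobody"; rc=1; }
    return $rc
}

# sample_client_ovpn: constructed client.ovpn in the shape of Step 7, using the
# equivalent remote-cert-tls server spelling of the server-certificate check.
sample_client_ovpn() {
    cat <<'EOF'
client
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
tls-crypt /path/to/myvpn.tlsauth
remote-cert-tls server
proto udp
remote your_server_ip 1194 udp
dev tun
topology subnet
user nobody
group nobody
EOF
}
```

Usage on a real file: check_client_ovpn /path/to/client.ovpn; a non-zero exit means at least one finding was printed.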

For Linux Users

Run OpenVPN as root with the client configuration (root is needed to create the tun device; the process then drops to the nobody user as set in the file):

openvpn --config /path/to/client.ovpn


For Windows Users

1. First, copy the client.ovpn configuration file into the C:\Program Files\OpenVPN\config directory.

2. Download and install the OpenVPN client application, then launch it.

3. Right-click the OpenVPN system tray icon and select Connect. This requires administrative privileges.


You should have successfully installed and configured OpenVPN on a CentOS server after reading this post. You should also know how to connect to the OpenVPN server using a Linux, Windows, or macOS client computer.
